Recipients of Office 365 Encrypted Emails will sometimes receive HTML attachments having broken links or HTML scripts removed from the encrypted attachment thereby making them unable to access the encrypted emails.
Received encrypted emails have their links, images, or scripts removed even though the UI logs show the message was processed as [OK].
This article describes a solution to this problem that is caused by the HTML Sanitizer or the Email Exploit Engine scrubbing the encrypted attachments for malicious tags. The procedure described is applicable to the various forms of email encryption such as Office 365 Encrypted (Secure) Messages or Cisco Secured Emails (Registered Envelope Service, also called SecureDoc).
When the HTML Sanitizer module acts upon an email to remove malicious scripts and tags, the Dashboard logs would not show this information but the actions taken will always be logged in the debug logs. You can obtain more details on the removed scripts by enabling tracing and examining the debug log file for the HTML Sanitizer found in the location below:
..\GFI\MailEssentials\EmailSecurity\DebugLogs\Html Script Removal.gfi_log.txt
Before proceeding, it is advisable to confirm that the root cause is MailEssentials by temporarily disabling scanning emails as described here: Enabling or Disabling GFI MailEssentials Processing. If the issue persists with mail scanning disabled then the cause is unrelated to MailEssentials and troubleshooting should continue by checking other external components affecting the mail flow.
Encrypted emails are usually sent as an HTML attachment with a standard filename. In the case of Office 365 Encrypted Email, this attachment is called message.html.
The HTML Sanitizer engine can strip this attachment of certain scripts leaving broken links and the recipients unable to open the email.
Although the encrypted emails are from a trusted source, the method in which they are being sent legitimately registers as an email exploit.
The HTML Sanitizer allows for senders to be whitelisted to avoid HTML scrubbing or alternatively scanning inbound emails can be disabled for this engine.
Since there is no whitelisting functionality for the Email Exploit Engine, the workaround is to disable the specific rules that trigger emails with HTML attachments.
Follow the below steps to isolate the root cause and allow the HTML attachments for encrypted emails to pass through unchanged.
- Open the MailEssentials Configuration console
- Expand the EmailSecurity node, then click on the HTML Sanitizer to open its properties
- Select the Whitelist tab and make an entry for the address that is sending the encrypted emails.
- Expand the Email Exploit Engine node and click on Exploit List
Check off Rule IDs 7 and 10, then hit the Disable Selected button.
- Click Apply to save the changes and send a test encrypted email to confirm the operation is successful.
The encrypted email should now bypass the HTML Sanitizer and the Email Exploit Engine and should be delivered without any changes to the HTML attachment.
If the issue still persists, please generate the troubleshooting logs as follows:
- Make sure that you have tracing enabled.
- Wait for at least 30 minutes to gather enough information and for the issue to be reproduced.
- Run the troubleshooter:
- Start > Programs > GFI MailEssentials > Troubleshooter
- Follow the Log Generation Wizard for collecting the required and pertinent information.
- Select New Case when completing the log generation to attach the logs to a new case that will be automatically created, or open a support ticket manually and attach the logs to that ticket, so that the Support team can investigate the problem.